How the FTC's Privacy Measures Could Impact the Efforts of IT Security and Fraud Detection

To anyone interested in advancing the state of online consumer privacy, the notion of the U.S. Federal Trade Commission further limiting the types of information that companies can collect about specific users and/or their devices – or forcing those companies to detail the data they gather more openly – seems like a beneficial idea.

However, as some IT security industry experts have pointed out, the FTC’s latest efforts – detailed in the agency’s “Preliminary Report on Protecting Consumer Privacy” (published in Dec. 2010) – may actually hurt or hinder the ability of certain security vendors and/or applications to carry out their own work in protecting end users.

The report, which sets forth a set of more stringent practices for both limiting data collection and forcing businesses to provide greater transparency into the specific information they are aggregating, certainly holds a lot of merit at first glance.

Forcing companies to tell us more about what data they’re actually keeping, and why, is just the type of legislation that consumer privacy advocates have been clamoring for since the initial boom of e-commerce sites over a decade ago.

But the measures could also blunt the effectiveness of security technologies that depend on such information to stop attacks, or give criminals a roadmap for engineering their way around these forms of protection, as some have already observed.

Consider online banking tools that take into account issues such as a device’s geographical location or the speed at which users enter their passwords to help prevent e-banking fraud.

Removing some of that capability, or providing technical details about its use to the public (namely attackers themselves), could clearly prove problematic.

One of the most detailed criticisms of the FTC efforts arrived in the form of a letter sent to the agency (and republished by the company on its site) by online anti-fraud and authentication vendor ThreatMetrix.

The same rules that are applied to companies using consumer/device information to target advertising – a primary target of the FTC work – shouldn’t be applied to security applications providers, argues ThreatMetrix VP of Marketing Bert Rankin in the missive.

“The importance of cyber security, and the nature of the data collected, requires that it be treated differently than the treatment accorded consumer data collected for behavioral advertising purposes,” he writes. “Detailed disclosure creates a number of adverse impacts to electronic commerce while not adding materially to privacy protection. Detailed disclosure may reduce consumer welfare by providing fraudsters with critical information to circumvent cyber security.”

If the FTC ultimately decides not to exclude or make exceptions for security firms, then disclosure required for security purposes should be “standardized to be limited solely to a statement that data provided by a consumer or the consumer’s device will be used for fraud detection,” the ThreatMetrix official contends.

As you might have guessed, the company’s tools, which promise to offer device recognition with and without cookies, including cloud-based services, would likely be somewhat compromised if the FTC measures are adopted.

And anyone who uses online banking applications such as those offered by industry giant Bank of America knows that many large businesses have adopted similar tools to help protect against account hijacking and fraud.

If you live in New York and someone in Moscow is suddenly trying to log into your account, it’s very helpful for the bank to be able to see that activity and intervene. In fact, every year when I go on vacation to Montreal for the F1 races, I end up having to call my own bank when they shut down my ATM card once I start using it to make large cash withdrawals late at night.

It bothers me that they can’t figure out that I follow the same patterns every year, but at the same time I’ll take inconvenience over the alternative.
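To make the geolocation signal concrete, here is an added example (not ThreatMetrix's, Bank of America's or any other vendor's actual logic) of the two checks behind the New York/Moscow case and the yearly Montreal trip: an impossible-travel test based on the speed implied between consecutive events, and a "familiar location" test that stops a recurring trip from tripping the alarm. City coordinates, timestamps, the 900 km/h ceiling and the 50 km familiarity radius are all constructed for the illustration.

```python
"""Travel-plausibility checks over login / ATM events for one account.
Added illustration of the geolocation signal the post describes; it is not
ThreatMetrix's or any bank's real logic. Coordinates, timestamps and the
thresholds below are constructed for the example.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # faster than an airliner between two events: implausible
FAMILIAR_RADIUS_KM = 50.0   # "same place as before" tolerance (assumed value)

@dataclass(frozen=True)
class Event:
    hours: float   # time in hours on a constructed account-local clock
    lat: float
    lon: float

# Constructed events: the owner logs in from New York, then the post's two cases:
# a Moscow login one hour later, and a Montreal ATM withdrawal the next day.
NEW_YORK = Event(0.0, 40.71, -74.01)
MOSCOW = Event(1.0, 55.76, 37.62)
MONTREAL = Event(30.0, 45.50, -73.57)

def haversine_km(a, b):
    """Great-circle distance between two events' coordinates."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))

def implied_speed_kmh(a, b):
    """Speed needed to travel from event a to event b; infinite if no time elapsed."""
    dt = b.hours - a.hours
    return float("inf") if dt <= 0 else haversine_km(a, b) / dt

def assess(history, event, max_kmh=MAX_PLAUSIBLE_KMH, familiar_km=FAMILIAR_RADIUS_KM):
    """Classify a new event against the account's accepted, time-ordered history:
    'impossible'   implausible speed from the last accepted event (New York -> Moscow);
    'familiar'     reachable and within familiar_km of a past accepted location, so
                   a recurring trip (the yearly Montreal visit) need not alarm;
    'new_location' reachable but unseen for this account: step-up, not a hard block.
    """
    if history and implied_speed_kmh(history[-1], event) > max_kmh:
        return "impossible"
    if any(haversine_km(past, event) <= familiar_km for past in history):
        return "familiar"
    return "new_location"
```

Once Montreal has been accepted into the account's history, a withdrawal from the same city a year later comes back as "familiar" rather than "new_location", which is the recognition the anecdote above is asking for.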

Meanwhile, in addition to the FTC efforts, both the Obama Administration and members of Congress such as former presidential candidate Sen. John Kerry (D-MA) are in the process of crafting their own recommendations for stricter control over data collection.

Balancing matters of security and privacy has always been a complex issue, but as legislators seek to limit unsavory or unauthorized data collection, it’s clear that there’s still a lot of work on both sides that needs to be done to reach some sort of conclusion.

Otherwise we may sacrifice security for privacy, and that doesn’t seem to make much sense at all.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including stints writing for CNET News.com, eWeek and InfoWorld. Hines is currently employed as director of product marketing at RedSeal Systems, a maker of security posture management software. He lives and works in his hometown of Boston, Mass.